{
	"id": "d3b07c04-7d30-41b6-af34-4b299b58d497",
	"created_at": "2026-04-06T00:07:16.883543Z",
	"updated_at": "2026-04-10T03:37:01.092058Z",
	"deleted_at": null,
	"sha1_hash": "8327994b2b2e0068cfdbc9b462da145b26862bd8",
	"title": "Tinker Telco Soldier Spy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33970,
	"plain_text": "Tinker Telco Soldier Spy\r\nArchived: 2026-04-05 12:40:24 UTC\r\nGo back\r\nChina-based threat actors have persistently targeted the telecommunications sector for many years. In this talk,\r\nPwC Threat Intelligence (PwC TI) analysts will share their research and present on case studies for several China-based threats currently targeting telcos prolifically, including well-known threats such as GALLIUM, who PwC\r\ntracks as Red Dev 4, and lesser-known threat actors which have never been publicly disclosed before.\r\nSpecifically, Will and Ben will discuss some of the common tactics, techniques, and procedures (TTPs) these\r\nadversaries are using to compromise telcos, including some of their vulnerability preferences, and the strategic\r\nbackdrop and objectives motivating this targeting.\r\nIntroduction\r\nWe’ll begin by briefly setting the scene, with a discussion of the China-based threat landscape more broadly,\r\nparticularly as it relates to telecommunications. This will include discussion of some of the wider targeting we’ve\r\nseen previously.\r\nRed Dev 4 / GALLIUM\r\nNext, we’ll discuss a specific example: Red Dev 4 (a.k.a. GALLIUM) is a China-based threat actor which has\r\ncompromised telecommunications entities globally. There has been no public reporting on GALLIUM since 2019,\r\nhowever, we assess that it remains active as of at least March 2022.\r\nWe will discuss some of the recent techniques we’ve seen Red Dev 4 use to maintain footholds within victim\r\nenvironments, such as the delivery of SoftEther VPN clients configured to connect to threat actor-owned\r\ninfrastructure. This will allow us to demonstrate techniques to track similar activity, and to discover victims in\r\nnetwork telemetry. We will also reference SoftEther configuration files submitted to an online multi-antivirus\r\nscanner by victims, the contained log files of which have assisted in identifying further malicious activity in\r\nvictim networks.\r\nLastly, we will reference victimology and demonstrate how this reflects geopolitical activities and therefore\r\nsuggests the targeting aligns with China’s strategic aims.\r\nRed Menshen\r\nNext, we’ll introduce a threat actor we track as Red Menshen. We first discovered this actor in 2021, when we\r\ndetected a sample of a Linux backdoor we track as BPFDoor. We will briefly highlight some of the functionality\r\nof BPFDoor, and the ways in which Red Menshen uses it to maintain stealthy persistence and move laterally\r\nwithin victim environments.. Based on this analysis, we were able to identify victims in the telecommunications,\r\ngovernment, and education sectors throughout Asia.\r\nhttps://troopers.de/troopers22/talks/7cv8pz/\r\nPage 1 of 2\n\nBy analyzing network telemetry related to the victims we discovered, we were able to discover recent Red\r\nMenshen infrastructure, and to uncover the threat actor’s upstream infrastructure. This led to the discovery of the\r\nsuspected compromise of several hundred routers in Taiwan, which are used as proxies in order to access threat\r\nactor infrastructure and browse to websites.\r\nConclusions\r\nWe will conclude by discussing the wider motivations of China’s ongoing exploitation of telecommunications\r\nproviders. This spans a wide range, from targeting information on specific subscribers, to potentially developing\r\naccess to core networks which can later be exploited for intelligence value. We assess that it is highly likely that\r\ntelecommunications organisations will remain a key target for China-based threat actors. ***** ##### Attendee\r\ntakeaways 1. The talk will advance public knowledge of nation-state cyber threats against the telecommunications\r\nindustry worldwide.\r\n1. We will share in-depth threat intelligence about sophisticated nation state threat actors that has not been\r\npublicly disclosed before, including their techniques and targeting.\r\n2. Attendees will leave with a better understanding of how to identify, and defend against, these threat actors’\r\noperations and how to better secure their environments against compromise.\r\nSource: https://troopers.de/troopers22/talks/7cv8pz/\r\nhttps://troopers.de/troopers22/talks/7cv8pz/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://troopers.de/troopers22/talks/7cv8pz/"
	],
	"report_names": [
		"7cv8pz"
	],
	"threat_actors": [
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9c8a7541-1ce3-450a-9e41-494bc7af11a4",
			"created_at": "2023-01-06T13:46:39.358343Z",
			"updated_at": "2026-04-10T02:00:03.300601Z",
			"deleted_at": null,
			"main_name": "Red Menshen",
			"aliases": [
				"Earth Bluecrow",
				"Red Dev 18"
			],
			"source_name": "MISPGALAXY:Red Menshen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434036,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8327994b2b2e0068cfdbc9b462da145b26862bd8.pdf",
		"text": "https://archive.orkl.eu/8327994b2b2e0068cfdbc9b462da145b26862bd8.txt",
		"img": "https://archive.orkl.eu/8327994b2b2e0068cfdbc9b462da145b26862bd8.jpg"
	}
}